from the say-bye-bye-to-credibility,-rsa dept

Earlier this year, the Snowden leaks revealed how the NSA had effectively infiltrated crypto standards efforts to take control of them and make sure that backdoors or other weaknesses were installed. Many in the crypto community reacted angrily, and began to rethink how they interact with the feds. However, Reuters has just dropped a bombshell into all of this: it has revealed that not only did the NSA purposefully weaken crypto, it then paid famed crypto provider RSA $10 million to ship the weakened random number generator as a default, making it a de facto standard.

Undisclosed until now was that RSA received $10 million in a deal that set the NSA formula as the preferred, or default, method for number generation in the BSafe software, according to two sources familiar with the contract. Although that sum might seem paltry, it represented more than a third of the revenue that the relevant division at RSA had taken in during the entire previous year, securities filings show.

The earlier disclosures of RSA's entanglement with the NSA already had shocked some in the close-knit world of computer security experts. The company had a long history of championing privacy and security, and it played a leading role in blocking a 1990s effort by the NSA to require a special chip to enable spying on a wide range of computer and communications products.

If this is true, it represents a serious attack on RSA's credibility. While RSA, now owned by EMC, put out a statement saying that "under no circumstances does RSA design or enable any back doors in our products," Reuters' sources suggest something quite different. Taking money to make a compromised generator the default may not count as "designing or enabling" a back door, but it has the same effect: every key, nonce and session secret that a BSafe-based product draws from that generator inherits its weakness, whether or not any other line of code was touched.

Reuters spoke to a number of former RSA employees, many of whom said it was a huge mistake for RSA to make this deal, showing how far the company had strayed from its initial mission. Others suggest that the NSA basically duped RSA, such that RSA agreed to the deal without realizing it was promoting a compromised standard. That's not a totally crazy assertion, but it's not particularly comforting either way. While it seems crazy to trust the NSA, for years many people recognized that the NSA employed many top crypto experts, and it was believed that, rather than compromising crypto, they were helping to build stronger crypto. Yes, some were always suspicious of this, but it wasn't entirely crazy to think that a crypto standard supported by the NSA was supported for good reasons. Of course, it is now quite apparent that the skeptics were exactly correct all along. And RSA's agreement to take this money from the NSA and to promote compromised crypto now has to call into question pretty much all of RSA's activities.

$10 million doesn't seem like that much to make on a deal in which you effectively undermine the entire reason why anyone does business with you. As someone in the article notes, the deal was "handled by business leaders rather than pure technologists." And it shows.

from the you-lost-me dept

We've seen it argued that privacy is a bad thing. People like former DHS official Stewart Baker have argued that the privacy-protecting efforts of civil liberties activists are the reason we're forced to be fondled and de-shod at TSA checkpoints. Not only that, he's tried to blame the 9/11 attacks on the "rise of civil libertarianism." Unbelievably, we've also had a politician recently claim that your privacy isn't violated if you don't notice the violation.

We've also seen attacks on anonymity by (anonymous) police officers and a whole slew of pundits and politicians who believe the only thing online anonymity does is provide a shield for trolls, bullies and pirates to hide behind. Efforts have been made to outlaw online anonymity, but fortunately, very few laws have been passed.

A dogmatic allegiance to anonymity is threatening privacy, according to Art Coviello, executive chairman of RSA.

Coviello cast anonymity as the "enemy of privacy" because it gives "free rein to our networks to adversaries" with "no risk of discovery or prosecution."

On one hand, anonymity is slowing down the pursuit of online criminals. On the other hand, companies are increasingly wary of subjecting their employees to intrusive security software.

Customers are caught in a Catch-22. "They're afraid to deploy technology for fear of violating workers' privacy" even though security intelligence tools are ultimately the best way to protect personal information, Coviello argued.

How Coviello arrives at the conclusion that anonymity is damaging privacy isn't exactly clear. It may be the enemy of security (or at least, unhelpful to retributive actions), but the online anonymity shielding crooks doesn't threaten users' privacy, at least not directly. Indirectly it could, but it wouldn't be anonymity's "fault." If Coviello wants attackers to be stripped of anonymity, there's little doubt he'd like to see clients' employees stripped of their privacy. Both would make his company's job easier. Attackers would be easily identified and clients would receive (arguably) better protection (thanks to more, non-anonymized data gathering). Win-win for security. Not so much for those who cherish privacy and anonymity.

RSA executive chairman Art Coviello has criticised privacy advocates for basing their arguments on “dangerous reasoning”, comments that have already earned him a tongue lashing from Big Brother Watch and the Open Rights Group.

Coviello, whilst noting the need for privacy, lambasted privacy groups’ “knee jerk” reactions to public and private sector attempts to improve people’s security, pointing to the “insanity” of the situation, in a keynote to open the RSA 2012 conference in London this morning.

In Coviello’s view, privacy advocates are over-reacting to measures designed to protect online identities, preferring to live in a world of danger: “Because privacy advocates don’t realise that safeguards can be implemented, they think we must expect reasonable danger to protect our freedoms,” Coviello said.

“But this is based on dangerous reasoning, a knee jerk reaction, without understanding the severity and scope of the problem.

“Where is it written that cyber criminals can steal our identities but any industry action to protect us invites cries of Big Brother.”

Not for nothing has someone noted that RSA is only a letter away from the United States' most notorious intelligence agency.

Coviello's arguments here aren't that much different than the government's opinions on the "liberty vs. security" balance. And like other defenders of intrusive programs, Coviello refers to the statements of critics as an "over-reaction." But is it? He bristles at being compared to Big Brother but his thought processes roughly align with the government's foremost proponents of intrusive programs. According to both, people just don't understand how bad things actually are, and in our unenlightened state, we're making the wrong choice between security and liberty.

Additionally, the "knee jerk reaction" he sees in privacy activists is, in reality, no different from the knee jerk reactions he fails to see in security and intelligence entities. While privacy activists are focused on retaining what remains and making small pushes for more, security/intelligence agencies leverage every tragedy or attack to expand their scope and dial back privacy protections.

But where his argument against privacy (and anonymity) ultimately falls apart is in his belief that collecting and storing large amounts of private data is the best solution for all involved.

To “suggest the only way to protect against cyber crime is to sacrifice privacy and civil liberties is absurd,” Nick Pickles, director of privacy campaign group Big Brother Watch, told TechWeekEurope. “It is a simple fact that if data has not been collected, it cannot be stolen, lost or misused. The best safeguard for consumers and businesses is for data not to be collected unless it is absolutely essential, and then deleted as soon as it is no longer required.”

As for his complaints about anonymity? It's pretty much all or nothing. You can't write statutes and laws that grant anonymity, and the privacy protections that come with it, to everyone except criminals: the whole point of anonymity is that you don't know who is using it. Either you take the good with the bad or you eliminate it for everybody. No one's going to agree with that last one, so security groups and companies will just have to deal with the fact that their adversaries will be cloaking their identities. Cops may wish robbers wouldn't wear masks when committing crimes, but that's the way it goes. You can't ban the sale of masks simply because someone holds up a bank wearing one.

I'm sure he understands this, but he's in a field where security is valued over privacy, and that's the expected mindset for someone in his position. The problem is that those with his mindset expect others to come to the same conclusion -- and when they don't, they're portrayed as part of the problem.

"I absolutely hate the term 'Cyber Pearl Harbor'," he said. "I just think it's a poor metaphor to describe the state we are really in. What do I do differently once I've heard it? And I've been hearing it for 10 years now. To trigger a physically destructive event solely from the internet might not be impossible, but it is still, as of today, highly unlikely."

Coviello may not like this particular FUD, but claiming anonymity and privacy are standing in the way of security isn't that far removed from the panicky assertions of the "cyber Pearl Harbor" types.

from the well-of-course-they-are dept

Nearly two years ago, This American Life did an incredible episode about patents and patent trolling, which really got the issue of patent trolling into the mainstream. At the center of that episode was an exploration into Intellectual Ventures, the world's largest, most obnoxious patent troll. The story revolved around one single patent (5,771,354), which Intellectual Ventures itself had held up as an example of how it was really just helping the poor, brilliant, lone inventor who was being ripped off. In that story, This American Life reporter/producer Alex Blumberg and NPR News reporter Laura Sydell tried to follow the story of that patent to exonerate Intellectual Ventures and show that, indeed, it was helping small inventors get their due. But the story turned out not to stand up to even the slightest amount of scrutiny. When they went in search of the inventor, Chris Crawford, he refused to respond to them, and then IV itself noted that it had "sold off" the patent and that it was currently the subject of litigation. The entity doing the litigating was a company called Oasis Research, which had an empty office in Marshall, Texas with no employees, but had sued over a dozen internet companies for, broadly, doing online backup.

In a hilarious exchange, IV's Peter Detkin, the guy who coined the phrase patent troll but now likes to delude himself that he's not an executive at the world's largest troll, pretended that it was some sort of "ambush" when Blumberg simply asked him to explain when IV bought the patent from Crawford and then when and to whom they sold it, based on the data on the US Patent Office's own website. Hilariously, Detkin insisted that he hadn't looked at the USPTO website, so he didn't know what was going on.

Detkin: I won't be able to tell you, probably, from looking at this. I mean I'd have to talk to... I'm not even an expert in... You're looking at the USPTO website? I haven't looked at this particular website in a while. I don't know how it's organized....

Alex Blumberg, from TAL: Wait... are you telling me that you're the... (long pause)... you run a patent company and you were the head counsel at Intel in the patent department, and you don't know what the Patent Office website is... you don't know how to read this...?

Detkin: (Frustrated) Look, I can look at this if you want, but I haven't looked at this particular website and I don't know how it's organized, and I'm not exactly sure what it is you're trying to get at... and I'm happy to answer questions, but if you're going to cross-examine me on the record about a patent website, I don't quite think that's fair...

And then a PR person jumped in and tried to kill the interview. Later they went back, and Detkin "explained" the details, claiming that it had bought the patent from Crawford in 2007 and then sold it off to Oasis Research more recently. When Blumberg quizzed him about how the patent is now being used to shake down companies for money (exactly the kind of thing that led Detkin to coin the term patent troll), Detkin insisted that IV had nothing to do with the patent any more, and had no control over these third party entities once it sold off the patents. They then pointed out to him that in the legal documents, Oasis Research had listed Intellectual Ventures as having a financial interest in the outcome of the case, and he brushed it off as an aside -- basically saying, "oh sure, perhaps we receive some royalty from future monetization." Specifically, he said "we get some percentage of the royalty stream down the road that is generated from the monetization of these assets."

Uh huh. So, This American Life has now done a follow up on that first episode, in which they finally get a bunch of answers that eluded them when the first episode aired -- and it's in part because two companies, out of 18 that were sued, fought Oasis Research and won by invalidating the patent. The other 16 likely settled, and hopefully are kicking themselves for giving in to a patent troll and paying the fees. The episode replays some clips from the original episode, including the interview with Detkin above, but what they revealed when all was said and done suggests, yet again, that Detkin was being less than forthright in that interview. The "ongoing royalty"? Apparently Intellectual Ventures got 90% of the net profit from the patent. 90%. That's not an ongoing royalty. That's basically someone who still owns the patent and is using a shell company to pretend that it's not involved in the "dirty business" of demanding exorbitant fees from companies who actually do something.

This American Life also estimates, based on how much Oasis Research demanded from Carbonite ($20 million), that Oasis probably got over $100 million in settlements from the companies that did settle. They also found out that IV paid back to Chris Crawford a nice chunk of change as well. They originally bought the patent for $12 million from him (via a series of shell companies), and then they paid him another 17.5% of any of the money that they collected.

And all this over a bogus patent. Not only was it bogus, but as later came out in court, Chris Crawford apparently filed for the patent by copying someone else's idea. The details are a bit involved, so it's worth listening to the whole thing, but the short version is that Carbonite and EMC tracked down Crawford's "boss" from way back when, and discovered that two other entrepreneurs had come up with the basic idea of backing up data via a network on computers, and they'd hired Crawford to help out. But what they discovered was they were unable to actually make the idea work, for a variety of reasons. They disbanded the company, but Crawford, who took notes at the meetings, later filed for a series of patents using the ideas from that company, and never bothered to tell the guys who were his "partners." Even though the other partners testified that the whole thing had been their idea in the first place, and not Crawford's, patent law is so stupid that Crawford still might have been able to keep the patents if he hadn't made one mistake. Among the piles upon piles of documents he filed with the patent, one of them mentioned one of the original entrepreneurs, and noted that it was that guy's idea.

In a hilarious bit of tape from the deposition of Chris Crawford, he tries to explain away the fact that he used an apostrophe "s" after the entrepreneur's name, to pretend that it had really been Crawford's idea, even though the notes clearly stated otherwise. He argued that he's not very good with grammar, so sometimes he uses an "'s" when he doesn't mean to. But that's even more nonsensical, because if it was just a regular s, meaning plural, then the sentence wouldn't make any sense.

While that bit of evidence was damning enough to get the jury to knock out the patent, as the report notes, the jury still wouldn't accept the direct testimony of the other three partners in the business with Crawford, saying only that the patent (which is completely bogus in its own right) probably should have gone to the one guy who was named in Crawford's notes. If that doesn't show how bogus the patent system is, I'm not sure what else to show people at this point.

Remember a few months ago, when Intellectual Ventures said that there was nothing at all nefarious about their 2,000 or so shell companies? Perhaps they knew what was coming... which was a pretty clear expose of how Intellectual Ventures is very much the same sort of entity that Peter Detkin once claimed were hellbent on holding up innovation. Except, now he's profiting from it. Massively. While pretending not to.

It's clearly time to fix the patent system, and this is just yet another example of a bunch of lawyers shaking down companies that actually do stuff. This is just one little bogus patent, and yet it took $100 million or so from companies who actually innovate and build products that the market wants, and handed it over to lawyers like Peter Detkin to be used to buy up more such patents and sue more people. And this patent probably would have been used for even more similar efforts if Carbonite and EMC hadn't been able to find that one document and its rather important apostrophe s. These lawsuits and these kinds of battles are a massive shift of money from actual innovation... to lawyers and those who failed to build things that people wanted. It's an economic disaster.

from the just-great... dept

You may recall last summer that Apple, Microsoft, EMC, RIM, Ericsson and Sony all teamed up to buy Nortel's patents for $4.5 billion. They beat out a team of Google and Intel who bid a bit less. While there was some antitrust scrutiny over the deal, it was dropped and the purchase went through. Apparently, the new owners picked off a bunch of patents to transfer to themselves... and then all (minus EMC, who, one hopes, was horrified by the plans) decided to support a massive new patent troll armed with the remaining 4,000 patents. The company is called Rockstar Consortium, and it's run by the folks who used to run Nortel's patent licensing program anyway -- but now employs people whose job it is to just find other companies to threaten:

But Widdowson is a specialist. He's one of 10 reverse-engineers working full time for a stealthy company funded by some of the biggest names in technology: Apple, Microsoft, Research In Motion, Sony, and Ericsson. Called the Rockstar Consortium, the 32-person outfit has a single-minded mission: It examines successful products, like routers and smartphones, and it tries to find proof that these products infringe on a portfolio of over 4,000 technology patents once owned by one of the world's largest telecommunications companies.

When a Rockstar engineer uncovers evidence of infringement, the company documents it, contacts the manufacturer, and demands licensing fees for the patents in question. The demand is backed by the implicit threat of a patent lawsuit in federal court. Eight of the company's staff are lawyers. In the last two months, Rockstar has started negotiations with as many as 100 potential licensees. And with control of a patent portfolio covering core wireless communications technologies such as LTE (Long Term Evolution) and 3G, there is literally no end in sight.

The article admits that Nortel got most of these patents because it wanted them for "defensive" reasons. And now look at how they're being used. Remember that the next time you hear a company promise to only use its patents defensively. There's also a ridiculous quote from Rockstar's CEO, John Veschi:

“A lot of people are still surprised to see the quality and the diversity of the IP that was in Nortel,” he says. “And the fundamental question comes back: ‘How the hell did you guys go bankrupt? Why weren’t you Google? Why weren’t you Facebook? Why weren’t you all these things, because you guys actually had the ideas for these business models before they did?’"

The real answer, of course, is that patents are meaningless. Ideas are worth nothing by themselves. Ideas only matter if you execute, and anyone who's ever actually executed on an idea will tell you that the original idea is almost never reflected in the final product. The process of going from idea to actual product is a process by which you learn that what matters is not what you thought mattered. And yet, for reasons that make no sense to anyone who has ever actually built a product, creating monopolies around the ideas only serves to create a massive tollbooth in front of actual innovation. And that's what we have here -- and it's funded by Apple and Microsoft.

Once again, we see that these two large companies are using the patent system not to innovate, but to stop up-and-coming competitors from innovating. The patent system isn't being used to encourage innovation but to protect incumbents from an open market.

Oh, and worst of all, the reason that the antitrust effort was dropped was because Apple and Microsoft promised to license the key patents under "reasonable terms." But... Rockstar is not subject to that agreement.

But the new company — Rockstar Consortium — isn’t bound by the promises that its member companies made, according to Veschi. “We are separate,” he says. “That does not apply to us.”

That seems quite problematic, and perhaps worthwhile for the government to reopen its investigation...

from the this-won't-end-well dept

Well, it wasn't too difficult to see this one coming. A year ago, all that was left of Nortel was a giant patent portfolio that everyone knew would result in a bidding war. At the time, people predicted the portfolio was worth an astounding $1.1 billion. Back in April, Google made news by placing a $900 million "stalking horse" bid for the patents, which had many people shaking their heads at the size of the bid. Google had made it pretty clear that it was seeking to buy the patents to keep them from being used by others to sue and block Google. Of course, Microsoft whined and complained to the government about how unfair it would be if Google won the patents. The government was apparently unconcerned.

So, Microsoft apparently got together with Apple, EMC, Ericsson, RIM and Sony... and coughed up an insane $4.5 billion. It's kind of brilliant in a nefarious way. With six companies together, they could each spend less than the $900 million initially pitched by Google... and then just all agree not to sue each other, but leave open the option to sue anyone else. And, given just how aggressive these companies have been with patents lately, you can rest assured that "license" demands will be made and there will almost certainly be lawsuits. Progress via the courtroom, apparently.

from the a-simple-warning dept

An anonymous reader sent in the following story about how some large software companies are suddenly increasing the number of "software audits" they're doing of enterprise buyers. Most enterprise software contracts include license terms that allow the software provider to "audit" the buyer, to make sure they're not abusing the license. As the article notes, however, such audits usually only come at one of two times: (1) when a company threatens to switch to another vendor or (2) when the company has received info from a reliable source that the license was being abused.

However, it looks like with the economy in freefall and IT spending being cut back, some enterprise software companies might be thinking that another way to squeeze some money out of customers is to audit them and force a larger bill on them. Of course, this seems like a plan that could backfire in a big, big way. As noted in the article, being audited is not a pleasant experience at all. It's basically a vendor claiming that it thinks you're breaking your agreement. It's not the best way to build up a strong relationship of trust. Because of that, a sudden increase in totally unexpected and uncalled-for audits may seriously damage a vendor's reputation and drive customers to proactively look for alternatives from companies that trust them. Treating your customers like criminals is never a good idea...

from the coincidence? dept

We're sure the timing of this is a total coincidence, but just one day after EMC subsidiary VMware skyrocketed in its market debut, software maker Citrix Systems has announced the purchase of XenSource, a privately held maker of virtualization technology. It's hard to say whether Citrix got a good price on the $500 million deal, but considering the timing, you have to figure that XenSource was able to attract quite the premium. As Paul Kedrosky noted yesterday, the VMware IPO seemed likely to spur the hunt for more such deals. Who knew things would get kicked off so quickly?